How to prepare for NIS2
Cyberattacks are the fastest-growing form of crime worldwide, says the European Parliament. Not only are they growing in scale, but they are also growing in cost and sophistication.
On top of that, we live in an increasingly connected world. Just one example is the rapid growth of the Internet of Things (IoT). According to Verizon, there will be 22.3 billion IoT devices by 2024. “Data compromises are considerably more likely to result from external attacks than from any other source,” Verizon says.
It is becoming harder and harder to protect your externally facing assets, because of the sheer number of them and the difficulty of knowing what they all are.
Growing cybersecurity challenges like these have led the European Union to look for ways to increase the protection of its citizens and companies against cyber threats and attacks, according to the European Parliament.
That’s why the EU issued the second Network and Information Security (NIS) Directive, or NIS2, on Jan. 16, 2023. Countries in the EU have until Oct. 17, 2024, to make it part of their national law.
NIS2 harmonizes cybersecurity across the EU and encourages organizations to be proactive rather than reactive. It’s all part of the European Commission's priority to make Europe “fit for the digital age” with better cybersecurity, the EU says.
But how does that involve you?
Your obligations under NIS2
Depending on how mature your vulnerability management plan is, doing things the same old way may no longer be good enough under NIS2.
You are likely going to need better penetration testing and risk-based vulnerability management than what was needed to comply with the original NIS directive, published back in 2016.
The original NIS directive focused on strengthening cybersecurity at a national level, enhancing collaboration between member states and enterprises and incorporating cybersecurity into companies’ cultures.
Organizations that had to comply with the first NIS directive included operators of essential services and relevant digital service providers. NIS2 will require member states to expand that scope to include transportation, banking, financial assets, the health sector, digital infrastructure, drinking water and energy.
Under NIS2, enterprises will need to have top-notch:
- business continuity policies
- supply chain security
- security in network and information systems
- disclosure policies
- cyber hygiene
- cybersecurity training
- cryptography and encryption
- human resources security
- asset management
- use of multi-factor authentication
In addition, you’ll have to:
- handle breach incidents competently
- know all your assets and keep them secure
- conduct good risk analysis
- optimize your incident response management plan
Expect penalties for non-compliance
NIS2 calls for better and stricter measures for enforcement and gives member states until Jan. 17, 2025, to get those in place. Non-compliance could result in costly penalties.
Ernst & Young says NIS2 introduces stricter penalties for non-compliance, including fines of up to 2% of an entity's annual turnover.
Article 36 of the NIS2 legislation requires member states to take all the measures necessary to ensure that compliance measures are implemented, and says penalties should be “effective, proportionate and dissuasive.”
The European Parliament says NIS2 aims to establish a high common level of cybersecurity across the EU. It plans to do this, in part, by harmonizing sanctions across the EU.
How Hadrian can help you comply with NIS2
NIS2 will require better penetration testing, risk-based vulnerability management, attack surface management, automated penetration testing and exposure management.
The good news is, Hadrian can help with all of this, and more. We can help you:
Know your attack surface
Under NIS2’s Article 21, you’ll need to “take appropriate and proportionate technical, operational and organizational measures to manage the risks to the security of network and information systems.” To do that, you’ll need to begin by knowing your attack surface, and that is nearly impossible without a mature vulnerability management strategy.
Seven out of 10 organizations have experienced an attack targeting an unknown or poorly managed external-facing asset. Hadrian can help you monitor your attack surface with continuous asset discovery. We help you gain complete visibility of external-facing assets and reduce the risk of a breach caused by an exposed asset. By continuously discovering and taking inventory of your internet-facing assets, we provide you with comprehensive visibility.
We protect any exposed IoT and OT assets by identifying, mapping, and contextualizing your IoT and OT devices, discovering potential attack vectors. We also provide comprehensive cloud monitoring. Hadrian continuously scans, detects, and remediates misconfigurations and other threats to multi-cloud infrastructure to prevent breaches.
External attack surface management is becoming more complex because assets are not only linked by connection within the infrastructure, but by the way an attacker moves between them. Hadrian enhances cybersecurity with automated penetration testing, emulating hackers for comprehensive security validation using its event-based AI. We find and eliminate your most impactful vulnerabilities with our comprehensive, real-time vulnerability management solution.
Protect the supply chain
Hadrian can defend against supply chain attacks with third-party risk monitoring. We continuously assess third-party applications for risks that could result in a breach of your critical data.
Section 24 of NIS2 calls for member states to put in place an automatic and direct reporting mechanism that ensures systematic and immediate sharing of information, where appropriate. It also sets up a timeline for reporting, starting with an early warning at 24 hours and full communication at 72 hours. Hadrian automates reporting by providing consistent and accurate insights. Our on-demand reports can be easily exported and shared.
Harden your attack surface
Hadrian’s Continuous Threat Exposure Management (CTEM) is offensive security testing. It helps you identify and effectively harden your attack surface. Our CTEM provides real-time insights into where your organization is weak and determines what a threat actor is most likely to attack.
Many organizations fail to prioritize vulnerabilities and instead focus on remediating vulnerabilities based on their age or contextless scoring such as CVSS. This approach can result in critical risks being left unaddressed, which can lead to security breaches.
Assets don’t exist in a vacuum. They are connected to each other, and a risk in one asset can trigger a risk in another. A strong attack surface management tool needs to take cross-asset testing into account.
Seven out of 10 organizations have experienced an attack targeting an unknown or poorly managed external-facing asset; organizations have 30% more external assets than they expected; and weekly remediation and vulnerability detection costs average $20,000.
This is why the hacker's perspective is so important. Organizations need to know where their weak spots are and how they can be attacked. Companies need a holistic view of their environment, so they can spot the small oversights that would let an attacker in.
Hadrian’s platform is built expressly by hackers to catch hackers. We look at your attack surface like a hacker would, from the outside in, and we know how hackers use one asset to get to another.
In addition, we prevent unauthorized credential use by detecting credential leakage in source code, GitHub/GitLab environments, and configuration files.
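The credential-leakage check described above, as an added example that is not Hadrian's code: a small scanner that walks source and configuration text, flags literal credentials (an AWS access key ID format, a PEM private key header, and `password`/`secret`/`token`-style assignments), and skips values that are placeholders or environment-variable references so that `DB_PASSWORD=<your-password>` or `${DB_PASSWORD}` do not produce noise. The file paths and contents in `SAMPLE_FILES` are constructed for this example, and the pattern set is an assumption, not a complete list of secret formats.

```python
"""Scan source and configuration text for leaked credentials (added example)."""
import re
from dataclasses import dataclass

# Constructed sample repository: every path and value here is made up for this example.
# The AWS values are the documented example credentials from AWS's own docs, not real keys.
SAMPLE_FILES = {
    "config/app.ini": (
        "[database]\n"
        "host = db.internal.example\n"
        "user = app\n"
        "password = Sup3rS3cretPassw0rd!\n"   # literal secret: should be flagged
        "secret_key_base = changeme\n"        # placeholder: should be skipped
    ),
    "src/db.py": (
        "import os\n"
        'DB_PASSWORD = os.environ.get("DB_PASSWORD")\n'  # read from env: skipped
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "deploy/key.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEowIBAAKCAQEAconstructedNotARealKey\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "docker-compose.yml": "    POSTGRES_PASSWORD: ${DB_PASSWORD}\n",      # env reference: skipped
    "README.md": "Set DB_PASSWORD=<your-password> before running.\n",  # placeholder: skipped
}

# Assumed detection patterns; a production scanner would carry many more.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    # keyword, optional suffix (e.g. _KEY_BASE), ':' or '=', optional quote, then the value
    "credential_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)[\w.-]*\s*[:=]\s*['\"]?([^\s'\"]{8,})"
    ),
}

PLACEHOLDER_WORDS = {"changeme", "password", "example", "xxxxxxxx", "todo", "redacted"}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str  # never store or print the full secret in a report


def redact(value: str) -> str:
    """Keep a short prefix so the owner can recognise the secret, mask the rest."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def is_placeholder(value: str) -> bool:
    """True for template markers, env-var references and well-known dummy values."""
    if value[0] in "<$" or value.startswith("{{"):      # <your-password>, ${ENV}, {{ tpl }}
        return True
    if "environ" in value or "getenv" in value:         # secret is read at runtime, not literal
        return True
    return value.lower().strip("'\"") in PLACEHOLDER_WORDS


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per (line, pattern) hit that is not a placeholder."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            # Patterns with a capture group report the captured value, others the whole match.
            value = match.group(match.lastindex) if match.lastindex else match.group(0)
            if kind == "credential_assignment" and is_placeholder(value):
                continue
            findings.append(Finding(path, line_no, kind, redact(value)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory {path: content} mapping (stand-in for a checked-out repository)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(f"{finding.path}:{finding.line_no} {finding.kind} {finding.redacted}")
```

Run as-is it reports four findings (the ini password, the two AWS values in `src/db.py`, and the PEM header) and nothing from the README or compose file. The report only ever carries a redacted prefix, so the scanner's own output cannot become a second copy of the leak; in a real pipeline the same `scan_text` function would be fed each file from a repository checkout or a pre-commit hook.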
We proactively secure subdomains from hijacking attempts and ensure that your business operations are uninterrupted.
“The goal of the NIS2 Directive is to enhance cybersecurity and resilience in European Union organizations,” says Ernst & Young (EY). NIS2 expands its scope to cover more sectors and focuses on the need for consistent implementation across all EU member states.
Now is the time to prepare for compliance with NIS2. Set up a roadmap for how to meet the requirements and increase your cybersecurity awareness, EY says.
Also remember that getting support from top management will take time, as will getting the budget and resources you will need for compliance with NIS2. So plan early to allow for delays in your preparation. The bottom-line advice is: “commit to strict planning with hard deadlines,” EY says.
Contact Hadrian to learn how we can get you ready for NIS2 and help you avoid penalties.